What is the Children’s Online Privacy Protection Act (COPPA)?
The Children’s Online Privacy Protection Act or COPPA is a federal law enacted in 1998 that protects the privacy of children under the age of 13 in relation to internet usage. The goal of the law is to give parents control over what information their young children are able to access while using the internet. The law takes into account the dynamic nature of the internet and applies to commercial websites and online services that collect, use, or disclose personal information from children under the age of 13, as well as third parties that may also collect personal information from children, such as information collected by an ad network for the purposes of targeted marketing campaigns.
Moreover, the COPPA also applies to operators of general websites or online services with actual knowledge that they are collecting, using, or disclosing personal information of children under the age of 13. The COPPA also outlines various factors in determining whether or not a website is specifically designed or marketed towards children including the subject matter, visual content, use of animated characters, and the music or audio content of the website, among a host of others. Under the COPPA, operators of websites and online services are obliged to do the following:
- Post a comprehensive and clear online privacy policy describing their information practices in regards to personal information collected from children online
- Provide direct notice to parents and obtain verifiable parental consent before collecting a child’s information online, with limited exception
- Give parents the option to consent to the operator’s collection and internal use of a child’s information while prohibiting the operator from disclosing this information to third parties, unless this disclosure is integral to the site or service and is made clear to parents
- Provide parents access to their children’s information and provide them with the opportunity to review and or have this information deleted at their request
- Give parents the opportunity to prevent the further online collection or use of their child’s personal information
- Maintain the confidentiality, security, and integrity of any information that is collected from children, and ensure that any third party who receives this information also maintains the confidentiality, security, and integrity of the information
- Retain information collected from a child online for only as long as is necessary to fulfill the purpose for which this information was collected, and delete this information by taking reasonable measures to protect against any unauthorized use or disclosure
- Never make a child’s online participation in an online activity conditional upon that child providing their personal information, unless their personal information is reasonably necessary to participate in said activity
What forms of personal information are covered by the COPPA?
The COPPA defines personal information in the following categories:
- First and last name
- A home or other form of physical address including a street name, apartment number, and the name of a city or town
- Online contact information
- A screen or username that functions as or in relation to online contact information
- A telephone number
- A social security number
- Any other consistent online identifier that can be used to recognize a user over time or across multiple websites or online services
- A video, photo, or audio file that contains a child’s image or voice
- Geolocation information that can be used to identify a street name, city, or town
- Information concerning a child or their parents that the operator collects online and uses in combination with any of the identifiers detailed above
What are the penalties for violating COPPA?
Operators of online websites who are found guilty of violating the COPPA can face a fine of up to $43,792 for each individual violation. These fines are issued by the Federal Trade Commission, and are based upon a variety of factors. These factors include the severity of the violation in question, whether the operator has previously been found guilty of violating the COPPA, the number of children involved in the violation, the type and amount of personal information that was collected, whether the information was shared with third parties, and the size of the website or company accused of said violation. Based on these various factors, some online businesses have been fined hundreds of millions of dollars in relation to COPPA violations.
To provide an example of the potential severity of COPPA fines, Google LLC and its subsidiary YouTube LLC were forced to pay fines totaling 170 million in 2019 to the FTC and New York Attorney General respectively. These fines were based upon Youtube’s failure to provide consent to parents in relation to personal information they collected from children using the website. It was alleged that YouTube then used this information to generate millions of dollars through targeted ad campaigns. The settlement required Google and Youtube to pay $136 million to the FTC and another $34 million dollars to the New York Attorney General due to these companies’ violation of the COPPA.
Alternatively, the popular social media website TikTok, previously known as Musical.ly, was fined 5.7 million dollars by the FTC in 2019 in relation to COPPA violations. In the lawsuit, the FTC alleged that the website illegally collected personal information from children. Despite the fact the operators of Musical.ly knew how many children were using the app, they still failed to collect parental consent before collecting names, email addresses, and other forms of personally identifiable information. As a result, the actions of the company constituted a COPPA violation.
The goal of the COPPA was to provide children with some modicum of protection when sharing their personal information over the internet. While COPPA cannot prevent children from lying about their age when signing up for online accounts or sites, it does provide parents with an avenue for recourse when a child’s personal information is disclosed improperly. Moreover, it sets a guideline for operators of websites to follow in order to avoid this improper disclosure. As children are obviously not adults who can legally consent to have their information collected over the internet, it is important that there is legislation in place to protect their personal information and privacy.
